The rules are:
* Should work on any URL (you can optimize our code if you asume the URL length is constant).
* Should not use any other chars except from those 8.
* Should allow arbitrary code to be executed.
* Doesnt matter on which browser works.
* The winner is the one that gets it to work with 7 chars, or less. If no one gets it under 8, then the winner will be the shortest one from a set of non-alphanumeric 8

Ok.. so.. I have to go haha.. our code is 2084 chars long.. so let's see how can we make arbitrary code execute with the smaller set of chars possible.

Yes - but you would at least require 9 characters to have it executable. We need the ! to get to a true or false string. I tried to get rid of the comma but only managed to do it with the pipe character (+[]||[].sort)() ...

Yeah, actually the biggest problem we had was to avoid the use of {}, since we were only using it to get an o.. that's why we chose /, since we used it to do regexes, and then from the regexes get /./.test, but mario found .filter haha, and that's why he rocks so much haha.

So, now the contest applies to alnum and nonalnum! since apparently, with alnum we need 8 chars: eval(nm) to execute code.. is there any smaller alphanumeric set?

I'm totally not following all the progression on this, I just chirped in with an alternative scenario, not to make it smaller or anything, but just to post the idea of using objects as I didn't see it in here. I figured you'd understand without a 1 inch disclaimer.

@rvdh i got your alternative scenario. I'm not for sure how you would tie things together without parenthesis though. Can you get a reference to window or anonymous function using only those 7 chars? If so, you might have another set of 6 that would also work. I'm assuming you can get rid of / since i and n can be obtained from undefined == [][[]]+[].

@.mario awesome! Your full PoC using just []()!+ is 3768 chars. So the challenge remains to shorten to a set of 5 or find the shortest variation with 6 :)

I think the only way now to get it smaller would be changing () for =.. (location=something), since we mostly use () for grouping before concatenation, thing that can also be done with [], and to the final evaluation.. the only problem this has is the reference to window.. we need one (0..constructor.constructor.__parent__ is the best one I can think of, but we dont have _ right? anyway, 0..constructor.constructor.__parent__.location=javascript:eval(name) or something like that).

Now, we should send this to all those stupid wafs that filter document.cookie haha

Note that only 3 sets of () are used. One to get a reference to m and two to execute a string in [].filter.constructor()(). Also, = is only needed for references to true and false. Maybe it is possible to get true/false using only []=+